Abstract — We study the problem of characterizing the wormhole
attack, an attack that can be mounted on a wide range of wireless
network protocols without compromising any cryptographic quantity
or network node. Making use of geometric random graphs
induced by the communication range constraint of the nodes, we
present the necessary and sufficient conditions for detecting and
defending against wormholes. Using our theory, we also present
a defense mechanism based on local broadcast keys. We believe
our work is the first one to present analytical calculation of the
probabilities of detection. We also present simulation results to
illustrate our theory.

Index Terms — wormhole, security, vulnerability, ad hoc networks,
geometric random graph.

I.  Introduction 

A wireless ad hoc network may be deployed in hostile
environments, where network nodes operate un-tethered. In
addition, the wireless medium exposes any message transmission
to anyone located within the communication range. In
this paper we investigate a specific type of emerging security
threat known as the wormhole attack [1], [2]. In a wormhole
attack an adversary records information at an origin point,
tunnels it (via a faster or direct link) to a destination point
more than one-hop away, and retransmits the information in the
neighborhood of the destination. Since a wormhole attack can
be launched without compromising any node, or the integrity
and authenticity of the communication, the success of the attack
is independent of the strength of the cryptographic method
that protects the communication. Hence, a wormhole attack is
implemented with few resources and is difficult to detect.

Several approaches have been presented for defending
against the wormhole attack [1]-[3]. The solutions proposed
attempt to bound the distance that any message can travel using
time-based methods [1], [3], cryptography [2], or exploiting
location information [1]. Time-based methods either rely on
tight synchronization between the network nodes [1], or on
measuring the time of flight of a challenge-response [3] using
clocks with nanosecond accuracy. Location-based methods also
require loose synchronization between nodes [1]. In [2], network
nodes use cluster keys to broadcast to their immediate
neighbors. However, the authors of [2] noted their system is
vulnerable to wormholes during the key establishment phase,
due to lack of any verification mechanism. On the other hand,
we present a solution that utilizes a combination of location
information and cryptography to prevent the wormhole attack.
We list our contributions next.

Our contributions: We present a graph theoretic model for
characterizing the wormhole attack and derive the necessary
and sufficient conditions for any candidate solution to prevent
wormholes. Using our theory, we then propose a Local Broadcast
Key (LBK) based method to secure an ad hoc network
from wormhole attacks. In doing so, we show that the LBK solution
satisfies the necessary graph theoretic condition. We also
present a decentralized realization for LBK establishment, and
provide an analytical evaluation of the security level achieved
by our scheme based on spatial statistics theory.

Unlike  in  [1],  [3],  our  solution  does  not  require  time 
synchronization,  or  highly  accurate  clocks,  and  only  a  small 
fraction  of  nodes  need  to  know  their  location.  Our  approach 
has  low  overhead  in  computation  and  communication,  suitable 
for  wireless  sensor  networks. 

The paper is organized as follows: Section II describes
the wormhole problem and its graph theoretic representation.
In Section III, we state our network model assumptions.
Section IV shows how LBKs defend against wormholes and
then presents a mechanism to establish them. In Section V,
we describe how to secure the LBK establishment mechanism
from wormholes. In Section VI, we present the performance
evaluation, and Section VII presents our conclusions.

II. Problem Statement
A.  Description  of  wormhole 

To launch a wormhole attack, an adversary establishes a
direct link, referred to as the wormhole link, between two points in
the network. A direct link can be established via a wireline, a
long-range wireless transmission, or an optical link. Once the
wormhole link is operational, the adversary eavesdrops on messages
at one end, referred to as the origin point, tunnels them through
the wormhole link and replays them in a timely fashion at the
other end, referred to as the destination point.

In the wormhole model, it is assumed that the adversary
does not compromise the integrity and authenticity of the
communication, and any cryptographic quantity remains secret.
If an adversary had access to cryptographic keys, it could
generate and forge any authentic message, and inject it back
into the network with no assistance from wormholes.

Fig. 1. Wormhole attack against a distance vector based routing protocol.

B.  Wormhole  threat  against  network  protocols 

Various wormhole attack scenarios disrupting network protocols
and applications are available from [1], [4]. We now
illustrate how a wormhole attack can disrupt the distance vector
based ad hoc routing protocols such as DSDV [5] or ADV [6].

Figure 1 presents an ad hoc network of 13 nodes and a wormhole
link between nodes $s_9$ and $s_2$. If the routing table of node
$s_9$ is tunneled through the wormhole link, node $s_2$ will hear
the broadcast and assume that node $s_9$ is a one-hop neighbor.
Node $s_2$ will update and broadcast its routing table entries for
one-hop neighbor node $s_9$, and nodes $\{s_8, s_{10}, s_{11}, s_{12}\}$ that
are now reachable via two hops. Similarly, other neighbors
of $s_2$ will adjust their own routing tables. Note that nodes
$\{s_1, s_3, s_4, s_5, s_7\}$ will now route via $s_2$ to reach any of the
nodes $\{s_9, s_{10}, s_{11}, s_{12}\}$. Hence, with minimal resources, an
attacker can redirect and observe a large amount of traffic as
desired. Furthermore, by simply switching the wormhole link
on and off, the attacker can trigger a route oscillation within
the network, thus leading to a denial-of-service (DoS) attack.

From these examples, we note that a wormhole in essence
creates a communication link between an origin and a destination
point that could not exist with the use of the regular
communication channel. Hence, a wormhole modifies the connectivity
matrix of the network and can be described by a graph
abstraction of the ad hoc network as described next.


C. A Graph theoretic formulation

Consider an ad hoc network randomly deployed with any
node $i$ having a communication range $r$. Such a network can be
modeled as a geometric random graph [7], defined as follows:

Geometric Random Graph: Given a finite set of vertices $V \subset \mathbb{R}^d$
($d = 2$ for 2-dimensional space), we denote by $G(V, r)$
the undirected graph with vertex set $V$ of randomly deployed
nodes, and with undirected edges connecting pairs of vertices
$(i, j)$ with $\|i - j\| \le r$, where $\|\cdot\|$ is some norm on $\mathbb{R}^d$ [7].
The entries of the edge, or connectivity matrix, denoted by $e$,
are given by:

$$e(i,j) = \begin{cases} 1, & \text{if } \|i - j\| \le r \\ 0, & \text{if } \|i - j\| > r \end{cases} \qquad (1)$$

The existence of wormhole links violates the geometric graph
model, by allowing links longer than $r$, thus transforming the
initial geometric graph $G(V, r)$ into a logical connectivity graph
$\tilde{G}(V, E_{\tilde{G}})$, where arbitrary connections can be established.
Hence, a non-trivial wormhole will always increase the entries
of the connectivity matrix of $G(V, r)$.

A candidate solution preventing the wormhole attack should
reconstruct the original geometric random graph $G(V, r)$, or by
imposing a less strict requirement, should transform the logical
graph $\tilde{G}(V, E_{\tilde{G}})$ to a logical graph $G'(V, E_{G'})$, in which, for
any link between a pair of nodes $i, j$, condition (1) is always
satisfied. We formalize these ideas in theorem 1.

Theorem 1: Given a geometric random graph $G(V, r)$ defined
as in (1), and an arbitrary logical graph $\tilde{G}(V, E_{\tilde{G}})$, a
transformation $S : G \times \tilde{G} \to G'$ of $\tilde{G}(V, E_{\tilde{G}})$ into a logical
graph $G'(V, E_{G'})$ is a solution to the wormhole problem iff the
set of edges of $G'$ is a subset of the set of edges of $G(V, r)$,
i.e. $E_{G'} \subseteq E_G$.

Proof: Assume that $G' = S(G, \tilde{G})$ prevents the wormhole
attack. Let $C_X$ denote the connectivity matrix of graph $X$. If
$E_{G'} \nsubseteq E_G$, there exists a pair of nodes $(i, j)$ for which:
$C_G(i,j) = 0$ and $C_{G'}(i,j) = 1$. For such node pairs,
$e'(i,j) = 1$ with $\|i - j\| > r$, violating the communication
range constraint. Hence, in order for $S(G, \tilde{G})$ to prevent the
wormhole attack, it follows that: $E_{G'} \subseteq E_G$.

The converse follows immediately. If $E_{G'} \subseteq E_G$, then
$C_{G'}(i,j) \le C_G(i,j), \forall i, j \in V$. Hence, there is no edge
$e'(i,j) \in E_{G'}$ such that $e'(i,j) = 1$, $\|i - j\| > r$, and hence,
the graph $G'$ is void of any wormhole. ■

A trivial graph $G'$ with no links ($E_{G'} = \emptyset$) satisfies the
conditions of theorem 1. However, to ensure communication
between all network nodes, we seek solutions that construct a
connected graph.

We also note that the transformation $G' = S(G, \tilde{G})$ requires
the knowledge of the geometric random graph $G(V, r)$, defined
by the location of the vertices, and the communication range $r$.
When nodes do not have a global view of the network (know the
location of other nodes), to verify theorem 1, we must indirectly
construct a connected subgraph of the geometric random graph
$G(V, r)$. Before we present our solution on constructing such
subgraph, we describe the needed network model assumptions.
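The graph model and Theorem 1 can be checked on a small deployment. The following is an added example, not code from the paper; the node coordinates, the range value and the function names are constructed for illustration, and the pruning step assumes the global view of node locations that the text notes real nodes lack.

```python
import math
from collections import deque

# Constructed sample deployment: node id -> (x, y); nodes sit 3 units apart.
NODES = {1: (0, 0), 2: (3, 0), 3: (6, 0), 4: (9, 0), 5: (12, 0), 6: (15, 0)}
R_COMM = 4.0  # communication range r (constructed value)

def geometric_edges(nodes, r):
    """Edge set E_G of G(V, r): pairs (i, j), i < j, with ||i - j|| <= r, as in (1)."""
    ids = sorted(nodes)
    return {(i, j) for a, i in enumerate(ids) for j in ids[a + 1:]
            if math.dist(nodes[i], nodes[j]) <= r}

def hop_count(edges, src, dst):
    """Breadth-first hop count over an undirected edge set; None if unreachable."""
    adj = {}
    for i, j in edges:
        adj.setdefault(i, set()).add(j)
        adj.setdefault(j, set()).add(i)
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, hops = queue.popleft()
        if node == dst:
            return hops
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, hops + 1))
    return None

def wormhole_links(logical_edges, nodes, r):
    """Edges of the logical graph that break the condition E_G' subset of E_G."""
    return sorted(logical_edges - geometric_edges(nodes, r))

def prune(logical_edges, nodes, r):
    """One transformation S that satisfies Theorem 1: keep only edges in E_G."""
    return logical_edges & geometric_edges(nodes, r)

E_G = geometric_edges(NODES, R_COMM)
# Logical graph seen by the routing protocol once a wormhole joins nodes 1 and 6,
# which are 15 units apart (far beyond r).
E_LOGICAL = E_G | {(1, 6)}

if __name__ == "__main__":
    print("hops 1->6 without wormhole:", hop_count(E_G, 1, 6))
    print("hops 1->6 with wormhole:   ", hop_count(E_LOGICAL, 1, 6))
    print("violating links:           ", wormhole_links(E_LOGICAL, NODES, R_COMM))
```

The drop in hop count is what pulls distance vector routes through the wormhole; the subset test is the property any candidate defense has to restore.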


III.  Network  Model  Assumptions 

Network setup: We assume that the network nodes are randomly
deployed within a specific region. We also assume that
a small fraction of network nodes, called Guards, is assigned
special network operations. Density of the regular network
nodes  is  assumed  to  be  and  the  density  of  the  guards 
is  assumed  to  be  pg,  with  ps  ^  pg.  We  assume  that  all 
nodes utilize omnidirectional antennas. Communication range
of regular nodes is $r$, while that of guards is $R$ with $R > r$.

Resource constraints: We assume that guards have access to
location information through GPS [8] or some other localization
method, though regular nodes may have no location information.


We also assume that nodes rely on efficient symmetric cryptography
for encryption/decryption, authentication and hashing.
We also assume that nodes can be pre-loaded with keys.

Statistical network model: It can be shown [11] that the
random deployment of the nodes and guards in an area $A$
can be modeled after a Spatial Homogeneous Poisson Point
Process [11]. The random placement of the set $U$ of guards
with a density $\rho_g = \frac{|U|}{A}$ ($|\cdot|$ denotes the cardinality of a set)
is equivalent to a sequence of events following a homogeneous
Poisson point process of rate $\rho_g$. The random deployment of
a set $S$ of nodes with a density $\rho_s =$ is equivalent to a
random sampling of $A$ with rate $\rho_s$ [11].

Based on Spatial Statistics theory [11], if $GH_s$ denotes the
set of guards heard by a node $s$, the probability that a node
hears exactly $k$ guards is given by the Poisson distribution:

$P(|GH_s| = k) =$ (2)

Using  the  model  in  (2),  we  will  analytically  evaluate  the 
performance  of  our  algorithms. 


IV.  Local  Broadcast  Keys 

In this section, we first define LBKs and show that LBKs can
be used to defend against wormholes. We then present details
of a decentralized mechanism for establishing LBKs, followed
by a probabilistic analysis of the security of the LBK scheme.

Definition: For a node $i$, we define the neighborhood $N_i$ as:
$N_i = \{j : \|i - j\| \le r\}$. Given a cryptographic key $K$, let $U_K$
denote the set of nodes that hold key $K$. We assign a unique
key $K_i$, called the LBK of $i$, to all $j \in N_i$ so that $U_{K_i} = N_i$ and
$K_i \ne K_j, \forall i \ne j$. Hence, by definition, all one-hop neighbors
of node $i$ possess the LBK of node $i$. We follow the convention
that any message from node $i$ to $j$ is encrypted with $K_i$. Hence,
a link between nodes $i, j$ exists iff $i \in N_j$ or $j \in N_i$.

Theorem 2: Given $K_i, N_i, \forall i \in V$, where $V$ is the set of
vertices defined by network nodes, and an arbitrary logical
random graph $\tilde{G}(V, E_{\tilde{G}})$, the edge matrix $E_{G'}$, defined by:

$$e_{G'}(i,j) = \begin{cases} 1, & \text{if } i \in U_{K_j} \cup j \in U_{K_i} \\ 0, & \text{else} \end{cases} \qquad (3)$$

yields the desired wormhole-free graph $G'(V, E_{G'})$ such that
$E_{G'} \subseteq E_G$, where $G(V, r)$ is the geometric random graph
defined in (1).

Proof: By the definition of $E_{G'}$, there exists a link
$e_{G'}(i,j)$ if and only if the two nodes hold at least one LBK.
But, according to the definition of LBK, a node $i \in U_{K_j}$
iff $i \in N_j$, which in turn implies that $i, j$ satisfy (1), which
defines the links of the geometric random graph $G(V, r)$.
Hence, $e_{G'}(i,j) = 1$ iff $\|i - j\| \le r$. Hence, $E_{G'} = E_G$ and
therefore, $G' = G$. According to theorem 1, if a transformation
$S(G, \tilde{G})$ results in a graph $G'(V, E_{G'})$ such that $E_{G'} \subseteq E_G$,
then $G'$ is a wormhole-free graph. ■

Note  that  given  LBKs  for  all  nodes,  wormholes  can  be 
eliminated  without  ever  having  to  know  the  location  of  any 
node.  However,  the  challenge  is  to  establish  LBKs  in  the 
presence  of  wormhole  links  and  no  central  authority. 


A.  Decentralized  establishment  of  local  broadcast  keys 

We present a three-step algorithm for LBK establishment.
In the first step, the guards distribute fractional keys $FK_i$ to
nodes via broadcasting. In step 2, every node broadcasts the
Ids of the fractional keys that it holds. If two nodes share
more than a threshold $th$ number of fractional keys, they use
all common fractional keys to generate a pairwise key. In
step 3, every node uses the pairwise keys to securely unicast
a local broadcast key to each neighbor. We first present the
cryptographic mechanisms of our LBK scheme.

1) Cryptographic Mechanisms

Encryption: To protect the distribution of the fractional keys,
all transmissions from the guards are encrypted with a globally
shared symmetric key $K_0$, pre-loaded before deployment. In
addition, every node shares a symmetric pairwise key $K_s^{g_i}$ with
every guard $g_i$, also pre-loaded. In order to save storage space
at the guard side, the pairwise key $K_s^{g_i}$ is derived from a master
key $K_{g_i}$, using a pseudo-random function [12] $h$ and the unique
node $Id_s$: $K_s^{g_i} = h_{K_{g_i}}(Id_s)$. Hence, given an $Id_s$, a guard can
compute its pairwise key with the node $Id_s$ whenever needed.

Guard Id authentication: To authenticate the source of the
fractional keys we use efficient one-way hash chains [9]. Each
guard $g_i$ has a unique password $PW_i$, blinded with the use
of a collision-resistant hash function such as SHA1 [12].
Due to the collision resistance property, it is computationally
infeasible for an attacker to find $PW_i'$ such that $H(PW_i) =
H(PW_i')$, $PW_i \ne PW_i'$. The hash chain is generated as
follows:

$H^0 = PW_i, \quad H^i = H(H^{i-1}), \quad i = 1, \dots, n$

with $n$ being a large number and $H^0$ never revealed to
any node. Due to the one-way property it is also infeasible
to compute any values of the hash chain that have not been
published by a guard. Each node is pre-loaded with a table
containing the Id of each guard and the corresponding hash
value $H^n(PW_i)$. To reduce the storage needed at the guard
side, guards use an efficient storage/computation method for
hash chains of time/storage complexity $O(\log^2(n))$ [10].

2) Steps of the key establishment scheme

[Step 1:] Initially, every guard $g_i$ generates a random fractional
key $FK_i$ and broadcasts it. The broadcast message also contains
the coordinates $(X_i, Y_i)$ of the guard, the next unpublished
value of the hash chain, $H^{n-m}(PW_i)$, and the hash chain
index $m$ ($m$ also indicates how many beacons each guard has
transmitted). The message format is:

Guard $g_i$ : $\{FK_i \,\|\, (X_i, Y_i) \,\|\, H^{n-m}(PW_i) \,\|\, m\}_{K_0}$ (4)

where $\{A \| B\}_K$ denotes concatenation of $A, B$ and
encryption with key $K$. Every node verifies that
$H(H^{n-m}(PW_i)) = H^{n-m+1}(PW_i)$ for all received
messages and stores the $FK_i$, the coordinates $(X_i, Y_i)$, the
latest published hash value of the hash chain, $H^{n-m}(PW_i)$,
and the hash index $m$.

Fig. 2. (a) Guards gi ~ broadcast fractional keys Ki ~ encrypted with the global broadcast key $K_0$, (b) Nodes announce the Ids of the fractional
keys that they hold, (c) neighbor nodes that have in common at least three fractional keys ($th = 3$) establish a pairwise key.

[Step 2:] Once the nodes have collected the fractional keys
from all the guards that they hear, they broadcast a message
indicating the Ids of the fractional keys that they hold. If
two neighbor nodes $s_1, s_2$ have in common fractional keys
$FK_1 \dots FK_w$ with $w$ above a threshold $th$, they establish a
pairwise key: $K_{s_1,s_2} = H(FK_1 \| FK_2 \| \dots \| FK_w)$, where $H$
is a collision-resistant hash function [9].

[Step 3:] After pairwise keys have been established with one-hop
neighbors, every node generates an LBK $K_i$ and unicasts it
to every neighbor encrypted with the pairwise key $K_{s_i,s_j}$. Each
node stores its own broadcast key $K_i$ used for encrypting its
own messages, and also stores all broadcast keys of its one-hop
neighbors in order to decrypt their broadcast messages.

In figure 2(a) the guards gi ^ distribute the fractional keys
to nodes si ^ sj, encrypted with the global key $K_0$. In figure
2(b), we show the set of guards that each node hears. In figure
2(c), by setting the threshold value $th = 3$, node $s_1$ establishes
a pairwise key with all its immediate neighbors. Node $s_1$
will distribute a local broadcast key $K_{s_1}$ to all its immediate
neighbors $s_1 \sim s_5$ using the pairwise keys established in step
2. In figure 3, we summarize our decentralized local broadcast
key establishment scheme.

Decentralized local broadcast key establishment scheme

  $U$ = {Set of guards}, $S$ = {Set of nodes}
  $U$ : Broadcast $\{FK_i \| (X_i, Y_i) \| H^{n-m}(PW_i) \| m\}_{K_0}$
  $S$ : Verify $H(H^{n-m}(PW_i)) = H^{n-m+1}(PW_i), \forall g_i \in GH_s$
  $S$ : Broadcast $ID_{s_i} = \{ID_1 \| ID_2 \| \dots \| ID_w\}$, $|GH_s| = w$
  for all $s_i \in S$
    for all $ID_{s_j}$ heard by $s_i$
      if $|ID_{s_i} \cap ID_{s_j}| \ge th$,
        $s_j \in N_{s_i}$, $K_{s_i,s_j} = H(FK_1 \| FK_2 \| \dots \| FK_w)$
        $N_{s_i} = N_{s_i} \cup \{s_j\}$
      end if
    end for
  end for
  for all $s_i \in S$
    for all $s_j \in N_{s_i}$
      $s_i \to s_j : \{K_{s_i}\}_{K_{s_i,s_j}}$
    end for
  end for

Fig. 3. The decentralized local broadcast key establishment scheme.
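Steps 1 and 2 of the scheme can be exercised end to end. The following is an added example, not code from the paper: it assumes SHA-256 in place of the paper's hash function, constructs the guards and reception sets itself, and leaves out the encryption under $K_0$ and the step 3 unicast so that it runs with the standard library only. All class and function names are hypothetical.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    # SHA-256 stands in for the collision-resistant hash H (assumption).
    return hashlib.sha256(data).digest()

def chain_value(pw: bytes, i: int) -> bytes:
    """H^i(PW): apply H to the guard password i times."""
    value = pw
    for _ in range(i):
        value = H(value)
    return value

class Guard:
    def __init__(self, gid, xy, n=100):
        self.gid, self.xy, self.n, self.m = gid, xy, n, 0
        self.pw = os.urandom(16)   # PW_i, never leaves the guard
        self.fk = os.urandom(16)   # fractional key FK_i

    def anchor(self) -> bytes:
        """H^n(PW_i), the value pre-loaded into every node."""
        return chain_value(self.pw, self.n)

    def beacon(self) -> dict:
        """Step 1 fields: FK_i, (X_i, Y_i), H^{n-m}(PW_i), m."""
        self.m += 1
        return {"gid": self.gid, "fk": self.fk, "xy": self.xy,
                "h": chain_value(self.pw, self.n - self.m), "m": self.m}

class Node:
    def __init__(self, anchors: dict):
        # gid -> (latest verified hash value, its chain index)
        self.latest = {gid: (h, 0) for gid, h in anchors.items()}
        self.fks = {}              # gid -> fractional key

    def receive(self, b: dict) -> bool:
        """Store FK_i only if the beacon's hash value extends the chain."""
        if b["gid"] not in self.latest:
            return False
        h_prev, m_prev = self.latest[b["gid"]]
        if b["m"] != m_prev + 1:   # stale index: replayed or out of order
            return False
        if H(b["h"]) != h_prev:    # H(H^{n-m}) must equal H^{n-m+1}
            return False
        self.latest[b["gid"]] = (b["h"], b["m"])
        self.fks[b["gid"]] = b["fk"]
        return True

    def announce(self) -> set:
        """Step 2: the Ids of the fractional keys this node holds."""
        return set(self.fks)

    def pairwise_key(self, neighbor_ids: set, th: int):
        """H(FK_1 || ... || FK_w) over the common keys, or None below th."""
        common = sorted(self.announce() & neighbor_ids)
        if len(common) < th:
            return None
        return H(b"".join(self.fks[g] for g in common))

def run_demo(th=3):
    guards = {f"g{i}": Guard(f"g{i}", (10 * i, 0)) for i in range(1, 6)}
    anchors = {gid: g.anchor() for gid, g in guards.items()}
    beacons = {gid: g.beacon() for gid, g in guards.items()}
    hears = {"s1": ["g1", "g2", "g3", "g4"],   # constructed reception sets
             "s2": ["g2", "g3", "g4", "g5"],
             "s3": ["g5"]}
    nodes = {name: Node(anchors) for name in hears}
    accepted = {name: [nodes[name].receive(beacons[g]) for g in gids]
                for name, gids in hears.items()}
    forged = dict(beacons["g1"], h=os.urandom(32), m=2)  # no knowledge of PW_1
    return {
        "accepted": accepted,
        "forged_rejected": not nodes["s1"].receive(forged),
        "replay_rejected": not nodes["s1"].receive(beacons["g1"]),
        "k12": nodes["s1"].pairwise_key(nodes["s2"].announce(), th),
        "k21": nodes["s2"].pairwise_key(nodes["s1"].announce(), th),
        "k13": nodes["s1"].pairwise_key(nodes["s3"].announce(), th),
    }
```

The hash chain check rejects forged beacons and repeats at the same node, but a genuine beacon tunneled to a node that never heard that guard still verifies, which is the case Section V addresses.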


Fig. 4. (a) All guards located in the shaded area $A_c$ are heard by both nodes
$s_1, s_2$, (b) $P_{key}$ for a variable threshold value equal to $th = |GH_{s_1}| - 3$.

B.  Setting  the  key  establishment  threshold 

Since nodes and guards will be randomly deployed within the
network region, the specific number of guards heard by nodes may
vary. Hence, each node needs to locally decide the threshold
$th$ based on the number of guards that it hears.

Consider figure 4(a), and assume that a node $s_1$ can hear
$|GH_{s_1}|$ guards. The probability $P_{key}$ that $s_1, s_2$ hear at least
$th$ common guards given that $|GH_{s_1}|$ guards are heard by $s_1$
is equal to the probability that at least $th$ guards are located
within the shaded area $A_c$, given that $|GH_{s_1}|$ of them are
located within the communication area $A_{s_1}$ of $s_1$. Due to
the random guard deployment, if $|GH_{s_1}|$ guards are located
within a specific region, those guards are uniformly distributed
[11]. Hence, the probability for one guard to be within $A_c$
is $p_g =$ The probability that more than $th$ guards are
deployed within $A_c$, given that a total of $|GH_{s_1}|$ are deployed
within $\pi R^2$ is:

$P_{key} = P(|GH_{A_c}| \ge th \mid |GH_{s_1}| = k)$

where $A_c$ can be computed from figure 4(a) by:

$\phi = \cos^{-1}\frac{l}{2R}, \quad A_c = 2R^2\phi - R\,l\sin\phi$ (6)

with $l = \|s_1 - s_2\|$. Using (5), (6), each node can determine
its threshold $th$. In figure 4(b), we present $P_{key}$ for different
values of guards heard $|GH_{s_1}|$ and distances $\|s_1 - s_2\|$, for
$th = |GH_{s_1}| - 3$.

Fig. 5. A wormhole attack against the broadcast of fractional keys.
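A node can turn the description above into a threshold choice. The following is an added example, not code from the paper: it takes the single-guard probability as $A_c / (\pi R^2)$ and sums the binomial tail, a form derived here from the uniform-placement statement because the page does not carry the closed form. The values of $k$, $l$, $R$ and the target probability are constructed.

```python
import math

def common_area(l, R):
    """A_c from (6): overlap of two radius-R disks whose centers are l apart."""
    if l >= 2 * R:
        return 0.0
    phi = math.acos(l / (2 * R))
    return 2 * R**2 * phi - R * l * math.sin(phi)

def p_key(k, th, l, R):
    """P(at least th of the k guards heard by s1 also lie in A_c).

    Assumption: each of the k guards falls in A_c independently with
    probability A_c / (pi R^2), so the count is binomial.
    """
    p = min(1.0, common_area(l, R) / (math.pi * R**2))
    return sum(math.comb(k, i) * p**i * (1 - p)**(k - i)
               for i in range(max(th, 0), k + 1))

def choose_threshold(k, l, R, target):
    """Largest th for which P_key still meets the target, or None."""
    for th in range(k, 0, -1):
        if p_key(k, th, l, R) >= target:
            return th
    return None

if __name__ == "__main__":
    k, R, r = 10, 20.0, 4.0          # constructed: guards heard, guard range, node range
    for th in range(k, 5, -1):
        # Worst case for a one-hop neighbor is l = r, the edge of node range.
        print(f"th={th:2d}  P_key={p_key(k, th, r, R):.4f}")
    print("threshold for P_key >= 0.95:", choose_threshold(k, r, R, 0.95))
```

With these constructed values the chosen threshold is 7, that is $|GH_{s_1}| - 3$, the offset used for figure 4(b).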

V.  Securing  the  broadcast  of  fractional  keys 

Though once established LBKs prevent wormholes (information
encrypted at a neighborhood $N_i$ with an LBK $K_i$ cannot
be decrypted outside $N_i$), an adversary can mount a wormhole
during the distribution of the fractional keys. We now provide a
mechanism to secure the fractional key distribution.

A. Wormhole attack against the fractional key distribution

Consider figure 5, where an adversary establishes a bi-directional
wormhole link between nodes $s_1, s_2$, with $s_1, s_2$
being several hops away. In step 1 of the local broadcast key
establishment scheme, guards broadcast their fractional keys.
The adversary records all messages heard by $s_1, s_2$ and replays
the messages heard by $s_1$ in the vicinity of $s_2$, and messages
heard by $s_2$ in the vicinity of $s_1$. After the replay, $s_1, s_2$ have
a common set of fractional keys $GH_{s_1} \cup GH_{s_2}$.

B.  Detection  of  the  wormhole  attack 

We now show how a node can detect a wormhole attack
during the fractional key distribution using two properties:

Single guard property: Reception of multiple copies of an
identical message from the same guard is due to replay or
multipath effects.

Proof: Since guards include a different hash value from
the hash chain on every message they transmit, if a node
receives an identical message more than once, it can only
be because (a) a malicious entity replays the message or (b)
there are multipath effects. If we treat multipath effects as a
replay attack, then any node receiving the same transmission
multiple times assumes it is under a replay attack. ■

In figure 6(a), $A_s$ denotes the area where guards heard by
node $s$ are located (circle of radius $R$ centered at $s$), $A_O$ denotes
the area where guards heard at the origin point of the attack
are located (circle of radius $R$ centered at $O$) and $A_c$ denotes
the common area $A_c = A_s \cap A_O$. An adversary that records
guards' transmissions heard at point $O$ and replays them to
node $s$ can be detected due to the single guard property with
a probability $P(SG)$ equal to the probability that at least one
guard lies within $A_c$:

$P(SG) = P(|GH_{A_c}| \ge 1) = 1 -$ (7)

In figure 6(b), we show the detection probability $P(SG)$ for
guard densities $\rho_g$, for distances $0 < \|s - O\| < 3R$, normalized
over $R$. We observe that if $\|s - O\| > 2R$, the single guard
property cannot detect a wormhole attack. We make use of the
following property to identify wormholes when $\|s - O\| > 2R$.

Communication range constraint property: A node $s$ cannot
hear two guards $g_i, g_j \in GH_s$ that are more than $2R$ apart,
i.e. $\|g_i - g_j\| \le 2R, \forall i \ne j$.

Proof: Any guard $g_i \in GH_s$ heard by node $s$ has to lie
within a circle of radius $R$, centered at the node $s$: $\|g_i - s\| \le
R, \forall i \in GH_s$. Hence, there cannot be two guards within a circle
of radius $R$ that are more than $2R$ apart.

$\|g_i - g_j\| \le \|g_i - s\| + \|s - g_j\| \le R + R = 2R$ (8)

We now compute the detection probability $P(CR)$ based on
the communication range constraint property. Consider figure
6(c) where if any two guards within $A_s, A_O$ have a distance
larger than $2R$ the attack is detected. Though $P(CR)$ is not
easily computed analytically, we can extract a lower bound on
$P(CR)$ as follows. In figure 6(c), the vertical lines defining
shaded areas $A_i, A_j$ are perpendicular to the line connecting
$s, O$, and have a separation $2R$. If there is at least one guard
in the shaded area $A_i$ and at least one guard in the shaded
area $A_j$, then $\|g_i - g_j\| > 2R$ and the attack is detected. Note
that this event does not include all possible cases for which
$\|g_i - g_j\| > 2R$ and hence it yields a lower bound.

$P(CR) = P(\|g_i - g_j\| > 2R,\ g_i, g_j \in GH_s)$
$\ge P(CR \cap (|GH_{A_i}| > 0 \cap |GH_{A_j}| > 0))$ (9)
$= P(CR \mid (|GH_{A_i}| > 0 \cap |GH_{A_j}| > 0))\, P(|GH_{A_i}| > 0 \cap |GH_{A_j}| > 0)$ (10)
$= P(|GH_{A_i}| > 0 \cap |GH_{A_j}| > 0)$ (11)
= (1 - (12)

where (9) follows from the fact that the probability of the intersection
of two events is always less or equal to the probability
of one of the events, (10) follows from the definition of the
conditional probability, (11) follows from the fact that when
$|GH_{A_i}| > 0 \cap |GH_{A_j}| > 0$, we always have a communication
range constraint violation ($P(CR \mid (|GH_{A_i}| > 0 \cap |GH_{A_j}| >
0)) = 1$), and (12) follows from $A_i, A_j$ being disjoint areas.

We can show that the lower bound on $P(CR)$ is maximized
when $A_i = A_j$, but the proof is omitted due to space
limitations. In figure 6(d), we show the lower bound on
$P(CR)$, by setting $A' = \max_i\{A_i\}$ such that $A_i = A_j$.
Note that for values $\|s - O\| > R$, $P(CR)$ is very close to
unity for any value of $\rho_g$. The lower bound $P(CR)$ increases
with the increase of $\|s - O\|$ and attains its maximum value
for $\|s - O\| = 4R$ when $A_i = A_j = \pi R^2$. For values
$\|s - O\| > 4R$ the lower bound on $P(CR)$ is equal to the
case of $\|s - O\| = 4R$.

Fig. 6. Single guard property, (a) a node $s$ cannot hear multiple copies of an identical message, (b) Detection probability $P(SG)$. Communication range
constraint violation, (c) a sensor cannot hear two guards that are more than $2R$ apart, (d) Detection probability $P(CR)$.


Detection probability of a wormhole attack: By combining
the two previously presented detection mechanisms we can
derive a lower bound on the probability of wormhole detection
$P_{det}$ during the broadcast of the fractional keys. By setting
$A_i = A_j$ and maximizing $A_i$ regardless of the distance $\|s - O\|$,
the areas $A_i, A_j, A_c$ do not overlap as shown in figure 8(a).
Hence, the events of a guard being located at any of these areas
are independent and we can derive a lower bound on $P_{det}$:

$P_{det} = P(SG \cup CR) = P(SG) + P(CR)(1 - P(SG))$
$\ge$ (1 - + (1 - (13)

The quantity in (13) is a lower bound on $P_{det}$ since we
used the lower bound on $P(CR)$. In figure 8(b), we show the
lower bound on $P_{det}$ for $\|s - O\| \in [0, 4R]$. Note that the lowest
detection probability is $P_{det} \ge 99.48\%$, attained at $\rho_g = 0.01$.
From figure 8(b), we observe that a wormhole attack during the
distribution of the fractional keys is detected with a probability
very close to unity, independent of the distance $\|s - O\|$.
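The two detection properties reduce to simple checks on the beacons a node has collected. The following is an added example, not code from the paper: guard positions, the range $R$ and the two wormhole origin points are constructed, the function names are hypothetical, and the final filter applies the $2R$ rule around the closest guard as used by the Closest Guard Algorithm of Section V-C, with the identity of the first-replying guard passed in as an assumption.

```python
import math
from collections import Counter
from itertools import combinations

R = 10.0  # guard communication range (constructed value)

# Constructed guard positions: g1-g3 near the node, g7-g8 far away.
GUARDS = {"g1": (3, 4), "g2": (-5, 2), "g3": (6, -6),
          "g7": (38, 3), "g8": (45, -2)}

def heard_at(point, guards, R, m=1):
    """Beacons (guard id, coordinates, hash index m) receivable at a point."""
    return [{"gid": g, "xy": xy, "m": m} for g, xy in guards.items()
            if math.dist(point, xy) <= R]

def with_wormhole(s, origin, guards, R):
    """What node s collects: its own beacons plus those replayed from origin."""
    return heard_at(s, guards, R) + heard_at(origin, guards, R)

def single_guard_violations(beacons):
    """Guards whose identical beacon (same id, same hash index) arrived twice."""
    counts = Counter((b["gid"], b["m"]) for b in beacons)
    return sorted(g for (g, _m), c in counts.items() if c > 1)

def range_violations(beacons, R):
    """Pairs of heard guards that are more than 2R apart."""
    pos = {b["gid"]: b["xy"] for b in beacons}
    return sorted((a, b) for a, b in combinations(sorted(pos), 2)
                  if math.dist(pos[a], pos[b]) > 2 * R)

def detect(beacons, R):
    return {"single_guard": single_guard_violations(beacons),
            "range": range_violations(beacons, R)}

def closest_guard_filter(beacons, first_reply_gid, R):
    """Keep only guards within 2R of the guard that replied first."""
    pos = {b["gid"]: b["xy"] for b in beacons}
    ref = pos[first_reply_gid]
    return sorted(g for g, xy in pos.items() if math.dist(ref, xy) <= 2 * R)

S = (0, 0)
NEAR_ORIGIN = (12, 0)   # ||s - O|| < 2R: the two disks share guards
FAR_ORIGIN = (40, 0)    # ||s - O|| > 2R: no shared guards

if __name__ == "__main__":
    print("no attack  :", detect(heard_at(S, GUARDS, R), R))
    print("near origin:", detect(with_wormhole(S, NEAR_ORIGIN, GUARDS, R), R))
    far = with_wormhole(S, FAR_ORIGIN, GUARDS, R)
    print("far origin :", detect(far, R))
    print("kept guards:", closest_guard_filter(far, "g1", R))
```

The near origin is caught only by the single guard check and the far origin only by the range check, which is why the paper combines the two.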


Fig. 8. (a) Combination of the single guard and communication range
constraint properties, (b) Wormhole detection probability $P_{det}$.

C. Key establishment in the presence of wormholes

Although a wormhole can be detected using the two detection
mechanisms, a node under attack cannot distinguish the valid
subset of guards from the replayed ones. We now describe the
Closest Guard Algorithm (CGA) to resolve the guard ambiguity.

CGA - The node $s$ broadcasts a nonce $\eta$ along with its Id
and waits for the first authentic reply from a guard $g_i$. All
guards that hear the nonce $\eta$ reply with a message containing
their coordinates, the next hash value of their hash chain and
the nonce $\eta$. The message transmitted from each guard is
encrypted with the pairwise key $K_s^{g_i}$ only known to $s, g_i$.
The node identifies the guard $g_i'$ whose reply arrives first
as the closest guard to $s$. Then using the communication
range constraint property, it identifies the set $GH_s'$ as all the
guards that are not more than $2R$ away from $g_i'$, and uses the
fractional keys received from $GH_s'$ to establish pairwise keys
with its immediate neighbors.

Closest Guard Algorithm (CGA)

1. $s$ : Broadcast $\{\eta \| Id_s\}$.
2. if $g_i$ hears $\{\eta \| Id_s\}$,
   Reply $\{(X_i, Y_i) \| \eta \| ID_{g_i} \| H^{n-m}(PW_i) \| m\}_{K_s^{g_i}}$
3. Identify $g_i' \in GH_s$ that replies first with correct nonce.
4. Set $GH_s' : \{g_i \in GH_s : \|g_i' - g_i\| \le 2R\}$.

To execute CGA, a node must be able to communicate bi-directionally
with at least one guard. The probability $P_{s \to g}$ of a
node having a bi-directional link is: $P_{s \to g} = 1 -$ . From
$P_{s \to g}$, we can compute the probability $P_m$ that all nodes can
bi-directionally communicate with at least one guard: $P_m$ =
(1 - e For a desired probability $P_m$, we can compute
$\rho_g, r$ as:

(14)

VI. Performance Evaluation

Simulation setup: We generated random network topologies
confined in a square area of size $A = 10{,}000$. For each network
topology we randomly placed, (a) 5,000 nodes within $A$, with
a communication range $r = 4$, (b) guards with variable density
$\rho_g$ and communication range $R$. To ensure statistical validity,
we repeated each experiment for 1,000 networks and averaged
the results. Note that to avoid border effects we considered
toroidal distance instead of regular Euclidean distance [11].

Key establishment with one-hop neighbors: In our first
experiment we evaluated the percentage of one-hop (immediate)
neighbors P_immed that each node is able to establish a local
broadcast key with. In figure 7(a), we present P_immed vs.
GH_s − th for variable guard density ρ_g. Note that we preferred
to plot P_immed vs. GH_s − th, instead of th, since th varies
locally for every node s depending on GH_s.

Fig. 7. Percentage of immediate neighbors that share more than th fractional keys for ρ_s = 0.5, A = 10,000 for, (a) varying guard density ρ_g, (b) varying
guard communication range R. Percentage of non-immediate neighbors that share more than th fractional keys for ρ_s = 0.5, A = 10,000 for, (c) varying guard
density ρ_g, (d) varying guard communication range R.

We observe in figure 7(a) that an increase in ρ_g requires a
higher difference GH_s − th to achieve the same P_immed. This
is due to the fact that while increasing density increases the
number of guards heard by more nodes, the joint probability of
many guards being heard by multiple nodes does not increase
as much as GH_s. Hence, a threshold value close to GH_s will
isolate a node s from many of its one-hop neighbors. Hence,
we need to select a th significantly lower than GH_s. Figure
7(b) presents P_immed for different guard communication range
R. Note that an increase in R requires a th significantly lower
than GH_s, to avoid one-hop neighbor isolation.

Isolation of non-immediate neighbors: In our second experiment
we evaluated the percentage of non-immediate neighbors
P_non-im that share more than th fractional keys as th varied.
For each node, we took into account in the percentage calculation,
only those neighbors that heard at least one common
guard with the node under consideration.

In figure 7(c), we show both P_non-im vs. GH_s − th in a
logarithmic scale for varying ρ_g, and show how we can achieve
higher isolation of non-immediate neighbors with the increase
of ρ_g. This is due to the fact that as ρ_g increases, more guards
are heard by each node and hence, we can adjust the threshold
with better accuracy compared to the case where GH_s has
a low value. In figure 7(d), we present both P_immed and
P_non-im for different guard-to-node communication range R,
and show how we achieve higher isolation of non-immediate
neighbors with the increase of R.

Choosing the threshold value: From figures 7(a)-(d) we can
determine the appropriate value of threshold th based on our
security constraint and system parameters. For example, if our
security constraint requires a non-immediate neighbor isolation
above 99%, we can achieve a P_immed = 0.64 for ρ_g = 0.01
when th = GH_s − 2. By increasing the guard density to ρ_g =
0.04 for the same constraints, we can achieve a P_immed = 0.90.
Hence, under any security constraints, we can select the system
parameters, ρ_g, R, so that we maximize P_immed, while keeping
P_non-im under the given constraint.
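A scaled-down sketch of the experiment and of the threshold choice described above, added here as an example and not taken from the paper's simulator. It assumes one fractional key per guard, so the number of shared fractional keys equals the number of guards both nodes hear; the 30 x 30 area, R = 10 and the seed are assumptions chosen so it runs quickly.

```python
import random

def torus_dist2(a, b, side):
    # Squared toroidal distance: wrap each axis so the square has no border.
    dx, dy = abs(a[0] - b[0]), abs(a[1] - b[1])
    dx, dy = min(dx, side - dx), min(dy, side - dy)
    return dx * dx + dy * dy

def simulate(side=30.0, rho_s=0.5, rho_g=0.04, r=4.0, R=10.0, max_d=6, seed=1):
    """Return (P_immed, P_non_im), each a list indexed by d = |GH_s| - th."""
    rng = random.Random(seed)

    def place(n):
        return [(rng.uniform(0, side), rng.uniform(0, side)) for _ in range(n)]

    nodes = place(int(rho_s * side * side))
    guards = place(int(rho_g * side * side))
    # GH_s for every node: indices of the guards whose range R covers it.
    heard = [{k for k, g in enumerate(guards) if torus_dist2(s, g, side) <= R * R}
             for s in nodes]
    hits = {True: [0] * (max_d + 1), False: [0] * (max_d + 1)}
    total = {True: 0, False: 0}
    for i, s in enumerate(nodes):
        for j, u in enumerate(nodes):
            if i == j:
                continue
            immediate = torus_dist2(s, u, side) <= r * r
            shared = len(heard[i] & heard[j])
            if not immediate and shared == 0:
                continue  # non-immediate pairs count only with a common guard
            total[immediate] += 1
            for d in range(max_d + 1):
                if shared > len(heard[i]) - d:  # more than th fractional keys
                    hits[immediate][d] += 1
    return tuple([h / total[k] if total[k] else 0.0 for h in hits[k]]
                 for k in (True, False))

def choose_offset(p_immed, p_non_im, max_non_im=0.01):
    """Largest d whose non-immediate share meets the constraint, with its P_immed."""
    d = max(i for i, p in enumerate(p_non_im) if p <= max_non_im)
    return d, p_immed[d]

if __name__ == "__main__":
    p_immed, p_non_im = simulate()
    print(choose_offset(p_immed, p_non_im))
```

Because both curves are non-decreasing in d, the largest d that satisfies the isolation constraint is also the one that maximizes P_immed.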


VII. Conclusion

We  presented  a  graph  theoretic  approach  characterizing 
recently  reported  [1]  wormhole  attacks  on  wireless  ad  hoc 
networks.  We  derived  the  necessary  and  sufficient  conditions  for 
any  transformation  to  remove  wormholes,  and  showed  that  any 
candidate  solution  preventing  a  wormhole  attack  must  produce 
a connected subgraph of the geometric graph model of the network.
We also proposed a cryptography-based solution relying
on  local  broadcast  keys  and  provided  a  distributed  mechanism 
for  establishing  them  in  randomly  deployed  networks.  We 
analytically  determined  the  level  of  security  achieved  by  our 
scheme  based  on  spatial  statistics  theory.  We  showed  that  the 
appropriate  choice  of  network  parameters  eliminates  wormhole 
links  with  a  probability  close  to  unity  and  verified  the  validity  of 
our  results  via  simulations.  It  is  our  claim  that  in  the  absence 
of  location  or  distance  bounding,  we  must  use  probabilistic 
techniques  for  dealing  with  wormholes. 